tfsec is a static analysis tool and infrastructure as code linter designed to detect security misconfigurations and compliance violations in Terraform infrastructure code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks.
The tool provides multi-cloud security auditing for providers including AWS, Azure, Google Cloud, and Kubernetes, as well as specialized scanning for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypted storage across compute, networking, and identity services.
The engine includes capabilities for complex expression evaluation to resolve functional expressions and resource relationships, ensuring misconfigurations are detected beyond literal string values. It supports custom policy definitions for organization-specific standards and allows for security warning suppression via source code comments or command-line flags.
The scanner is designed for CI/CD security integration as a standalone binary or container, with the ability to export findings in structured formats such as JSON, SARIF, and CSV.
